Bank contractors offer 'back door' to cyber thieves - NY regulator

Too many banks are vulnerable to cyber-security breaches through their third-party vendors, a New York regulator announced. The regulator has promised swift action to beef up security at financial institutions.

During a survey of 40 banks, the New York Department
of Financial Services (NYDFS) discovered that thirty percent do
not require their third-party vendors to notify them of any cyber
security breaches that have taken place.

To make matters worse, fewer than half conduct on-site security
assessments of their vendors, while twenty-one percent do not
even require their vendors to abide by minimum information
security requirements.

“A bank's cyber security is often only as good as the cyber
security of its vendors,” NYDFS Superintendent Benjamin M.
Lawsky said in a statement. “Unfortunately, those third-party
firms can provide a backdoor entrance to hackers who are seeking
to steal sensitive bank customer data.”

The NYDFS is now considering imposing cyber-security requirements
for banks that would apply to their relationship with third-party
service providers. The “high-risk vendors” are defined by the
regulator as being check and payment processors, trading and
settlement operations, and data processing companies.

“We will move forward quickly, together with the banks we
regulate, to address this urgent matter,” Lawsky said.

For the purposes of the report, banks were categorized as “small”
if their assets were less than $100 billion, “medium” if their
assets were between $100 billion and $1 trillion, and “large” if
their assets exceeded $1 trillion.

Large banks are twice as likely as small ones to require their
third-party vendors to certify their data and products are free
of viruses, the report indicates.

Just one in three banks surveyed by New York require their
security vendors to notify them of a cyber breach http://t.co/RvBNYJP9in

“The report does name particular institutions to help ensure
we receive candid answers and so as to not reveal vulnerabilities
at specific firms that could be exploited,” NYDFS spokesman
Matthew Anderson told Courthouse News Service.